commit 8fd8669d36e9f422beae4ce39a643490d6202010
parent f0300128db19bf86fa0d7f91906956ed0529398c
Author: Zack Newman <zack@philomathiclife.com>
Date: Wed, 8 May 2024 12:54:27 -0600
openbsd requires dns pledge now
Diffstat:
5 files changed, 17 insertions(+), 38 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
@@ -9,7 +9,7 @@ license = "MIT OR Apache-2.0"
name = "rpz"
readme = "README.md"
repository = "https://git.philomathiclife.com/repos/rpz/"
-version = "0.6.1"
+version = "0.6.2"
[lib]
name = "rpz"
@@ -21,11 +21,11 @@ path = "src/main.rs"
[dependencies]
ascii_domain = { version = "0.6.1", default-features = false }
-num-bigint = { version = "0.4.4", default-features = false }
-reqwest = { version = "0.12.2", default-features = false, features = ["brotli", "deflate", "gzip", "rustls-tls-native-roots", "trust-dns"] }
-serde = { version = "1.0.197", default-features = false }
+num-bigint = { version = "0.4.5", default-features = false }
+reqwest = { version = "0.12.4", default-features = false, features = ["brotli", "deflate", "gzip", "rustls-tls-native-roots", "trust-dns"] }
+serde = { version = "1.0.201", default-features = false }
superset_map = { version = "0.2.3", default-features = false }
-tokio = { version = "1.36.0", default-features = false, features = ["rt", "time"] }
+tokio = { version = "1.37.0", default-features = false, features = ["rt", "time"] }
toml = { version = "0.8.12", default-features = false, features = ["parse"] }
url = { version = "2.5.0", default-features = false, features = ["serde"] }
zfc = { version = "0.3.2", default-features = false }
@@ -33,17 +33,10 @@ zfc = { version = "0.3.2", default-features = false }
[target.'cfg(target_os = "openbsd")'.dependencies]
priv_sep = { version = "1.0.1", default-features = false, features = ["openbsd"], optional = true }
-[build-dependencies]
-rustc_version = "0.4.0"
-
[features]
priv_sep = ["dep:priv_sep"]
default = ["priv_sep"]
-[package.metadata.docs.rs]
-all-features = true
-rustdoc-args = ["--cfg", "docsrs"]
-
[badges]
maintenance = { status = "actively-developed" }
diff --git a/build.rs b/build.rs
@@ -1,12 +0,0 @@
-use rustc_version::{version_meta, Channel};
-
-fn main() {
- // Set cfg flags depending on release channel
- let channel = match version_meta().unwrap().channel {
- Channel::Stable => "CHANNEL_STABLE",
- Channel::Beta => "CHANNEL_BETA",
- Channel::Nightly => "CHANNEL_NIGHTLY",
- Channel::Dev => "CHANNEL_DEV",
- };
- println!("cargo:rustc-cfg={}", channel)
-}
diff --git a/src/lib.rs b/src/lib.rs
@@ -12,7 +12,7 @@
#![feature(btree_cursors)]
#![feature(byte_slice_trim_ascii)]
#![feature(io_error_more)]
-#![cfg_attr(all(doc, CHANNEL_NIGHTLY), feature(doc_auto_cfg))]
+#![cfg_attr(doc, feature(doc_auto_cfg))]
#![deny(
future_incompatible,
let_underscore,
diff --git a/src/main.rs b/src/main.rs
@@ -2,7 +2,7 @@
//!
//! Consult [`README.md`](https://crates.io/crates/rpz).
#![feature(never_type)]
-#![cfg_attr(all(doc, CHANNEL_NIGHTLY), feature(doc_auto_cfg))]
+#![cfg_attr(doc, feature(doc_auto_cfg))]
#![deny(
future_incompatible,
let_underscore,
diff --git a/src/priv_sep.rs b/src/priv_sep.rs
@@ -17,13 +17,14 @@ use std::{
#[derive(Clone, Copy)]
pub struct Zst;
/// Calls `pledge` with only the sys calls necessary for a minimal application
-/// to run. Specifically, the `Promise`s `Cpath`, `Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
+/// to run. Specifically, the `Promise`s `Cpath`, `Dns`, `Inet`, `Rpath`, `Stdio`, `Unveil`, and `Wpath`
/// are passed.
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
#[inline]
-pub fn pledge_init() -> Result<Promises<6>, Error> {
+pub fn pledge_init() -> Result<Promises<7>, Error> {
let promises = Promises::new([
Promise::Cpath,
+ Promise::Dns,
Promise::Inet,
Promise::Rpath,
Promise::Stdio,
@@ -48,7 +49,7 @@ pub const fn pledge_init() -> Result<Zst, !> {
/// instead of an RPZ file.
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
#[inline]
-pub fn pledge_away_create_write(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_create_write(promises: &mut Promises<7>) -> Result<(), Error> {
promises.remove_promises([Promise::Cpath, Promise::Wpath]);
promises.pledge()
}
@@ -62,7 +63,7 @@ pub fn pledge_away_create_write(_: &mut Zst) -> Result<(), !> {
/// Removes `Promise::Unveil`.
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
#[inline]
-pub fn pledge_away_unveil(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_unveil(promises: &mut Promises<7>) -> Result<(), Error> {
promises.remove(Promise::Unveil);
promises.pledge()
}
@@ -73,11 +74,11 @@ pub fn pledge_away_unveil(promises: &mut Promises<6>) -> Result<(), Error> {
pub fn pledge_away_unveil(_: &mut Zst) -> Result<(), !> {
Ok(())
}
-/// Removes `Promise::Inet`.
+/// Removes `Promise::Dns` and `Promise::Inet`.
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
#[inline]
-pub fn pledge_away_net(promises: &mut Promises<6>) -> Result<(), Error> {
- promises.remove(Promise::Inet);
+pub fn pledge_away_net(promises: &mut Promises<7>) -> Result<(), Error> {
+ promises.remove_promises(Promises::new([Promise::Dns, Promise::Inet]));
promises.pledge()
}
/// No-op that always returns `Ok`.
@@ -90,7 +91,7 @@ pub fn pledge_away_net(_: &mut Zst) -> Result<(), !> {
/// Removes all `Promise`s except `Stdio`.
#[cfg(all(feature = "priv_sep", target_os = "openbsd"))]
#[inline]
-pub fn pledge_away_all_but_stdio(promises: &mut Promises<6>) -> Result<(), Error> {
+pub fn pledge_away_all_but_stdio(promises: &mut Promises<7>) -> Result<(), Error> {
promises.retain([Promise::Stdio]);
promises.pledge()
}
@@ -192,10 +193,7 @@ pub fn unveil_read_file<P: AsRef<Path>>(_: P) -> Result<(), !> {
pub fn unveil_https() -> Result<(), UnveilErr> {
/// The path to the root certificate store.
const CERTS: &str = "/etc/ssl/cert.pem";
- unveil_read_file("/dev/urandom").and_then(|()| {
- unveil_read_file("/etc/resolv.conf")
- .and_then(|()| unveil_read_file(CERTS).map(|()| env::set_var("SSL_CERT_FILE", CERTS)))
- })
+ unveil_read_file(CERTS).map(|()| env::set_var("SSL_CERT_FILE", CERTS))
}
/// No-op that always returns `Ok`.
#[cfg(not(all(feature = "priv_sep", target_os = "openbsd")))]